Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/11/2024, 18:59

General

  • Target

    locker.exe

  • Size

    2.3MB

  • MD5

    66c6dfe570b7e10fc9b62614a6bb0476

  • SHA1

    75ca6a5a47105af2855ace988f2e86fb8d54f56a

  • SHA256

    b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13

  • SHA512

    90659304debcbe88595c469e1846ff2f8544da480dcd75ba591079eabfa8e9cca9535f8f8130114f33f5c4317a95c735c26386bbd357a9451b9af2391762db54

  • SSDEEP

    24576:w/F1XGA9DHYdqQiF/swJ0r6ck59yjFGWG04J2ksswOGpyCP5WfWr:w91XRlYdqxF/QU5EH6wOVCBW

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs (exe.dropper): https://i.imgur.com/DQ6FCxz.png

Signatures

  • Renames multiple (8746) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 31 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\locker.exe
    "C:\Users\Admin\AppData\Local\Temp\locker.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://i.imgur.com/DQ6FCxz.png', 'C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Wallpaper { [DllImport(\"user32.dll\", CharSet = CharSet.Auto)] public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); public static void Set(string path) { SystemParametersInfo(20, 0, path, 3); } }'; [Wallpaper]::Set('C:\Users\Admin\AppData\Local\Temp\Wallpaper.png')"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5708
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkmesomz\tkmesomz.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6128
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8056.tmp" "c:\Users\Admin\AppData\Local\Temp\tkmesomz\CSC77EC6FEF6B1242AEB6FDD4D3554B523.TMP"
          4⤵
          PID:6072

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\R3ADM3.txt

      Filesize

      576B

      MD5

      f23030d9016bf550545665639ffe3329

      SHA1

      95195c349f6929832a1e7e3d1bd11ebfb2cbce1b

      SHA256

      747d06005c5539438076a0b5d3396727420aeb8c0c6348cd62324f530d0dde28

      SHA512

      6601c4e0af52ca5436dc12280813b0abd963a4ff1fa51af39a09d771b7898604205b74a12ad4597fa1970fc6477cae0b378887156130cf0c73a994c61924703b

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      055cd1930e45c3d77aa744d53bcc29d9

      SHA1

      af1464daf329f36930b71fb33119c61a13472b6d

      SHA256

      fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c

      SHA512

      00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

    • C:\Users\Admin\AppData\Local\Temp\RES8056.tmp

      Filesize

      1KB

      MD5

      c3c39deca4baef1c7994382f087e1388

      SHA1

      d022c3e64eb9ae625302195a8e4c6ef4245ce871

      SHA256

      85b2f3ba07a968743297f70bbf83bbe4598ebf3a237944d7beffc84118bf7c11

      SHA512

      5b7eb3ded574fa9e6bd139e837ef8f8ef04fc496e6e345f82b832fdf36c7b1d72ec466ad8aed2e2fd0858b58e4b81549b4584fad4449b5749568caedfb7e31e9

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4o5mmgk.pmf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tkmesomz\tkmesomz.dll

      Filesize

      3KB

      MD5

      bf2ebe2cefb910d6466369d58c0c471b

      SHA1

      3ea062b65eb61fe97eaca6c85fc5f4d42506a601

      SHA256

      fda7a82629fafcdde5813cc1ef7f3d1c5dddf85dbbe4380f7384771e7498d415

      SHA512

      3e5f79edbf105bbf69ba7c757c978b939935d58af0bc236fb4f5a95ed9c2ce41e875f6136797f06226b926d98118d76b40b9175ec8edaaf7307d63a5a42f6f85

    • \??\c:\Users\Admin\AppData\Local\Temp\tkmesomz\CSC77EC6FEF6B1242AEB6FDD4D3554B523.TMP

      Filesize

      652B

      MD5

      358dead0724827d624d2c21d12cb5f5f

      SHA1

      f4ed31268befbd138992530f29bbded7a1e3ba34

      SHA256

      aa356e8b4fb3bf2457c73f9bf1ea9ca5fa7e502f7d1dadd7d4708807f49204e9

      SHA512

      20dc8951ddf7d9d36b2b3b9abdbca46f7b8c6b1cb76b2413835c923f49b6652aeef721378683af1cd60dc47201015087179da497c37c1a35a640bf92217254ab

    • \??\c:\Users\Admin\AppData\Local\Temp\tkmesomz\tkmesomz.0.cs

      Filesize

      312B

      MD5

      945a8245afef16ce6654338c6a4b1ab7

      SHA1

      165014157ca311751105fdf7c7c105a1a7b113a0

      SHA256

      331b27fcd961cc9e94bb774dfa7e1b8c5999d91f0f820924dc7c60a6610c1246

      SHA512

      d598cdb315ad50340efd7c52fd31ae9aef585281c3a384d84f1def0ce9782ac324087fede7c0b1157eea9b40c0fc3cbc650f646a9c93260efcfaf7bdf962be5e

    • \??\c:\Users\Admin\AppData\Local\Temp\tkmesomz\tkmesomz.cmdline

      Filesize

      369B

      MD5

      45ce1d92c80c15af9939aef146397ce5

      SHA1

      31049c1d9c78c736a581010b6f5ddb259c80eb72

      SHA256

      81a73100f909e7a7149633eceaaae255fb4323c9b10898b697676185939948c2

      SHA512

      dfc48ae4fc192edda2e14b3859ab74735064ff454c7da0ff10149d6e4f066770d3333f705a8c1ca4416000cf7fcca02d530ef879d786b7375355b121e23025c2

    • memory/5404-52966-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5404-52962-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5404-52952-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5404-52951-0x000001AFC0000000-0x000001AFC0022000-memory.dmp

      Filesize

      136KB

    • memory/5404-52950-0x00007FF8CF043000-0x00007FF8CF045000-memory.dmp

      Filesize

      8KB

    • memory/5708-52968-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5708-52978-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5708-52980-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB

    • memory/5708-52993-0x00000258216A0000-0x00000258216A8000-memory.dmp

      Filesize

      32KB

    • memory/5708-52996-0x00007FF8CF040000-0x00007FF8CFB01000-memory.dmp

      Filesize

      10.8MB